Are there any risks to running standalone snowflake on home network? If so, how significant are they?

I’m working on getting a standalone snowflake relay set up on my restricted NAT residential home network using Docker likely running on Fedora Workstation 41. I would like to know how much of a risk I would run by doing so, for example how big is the risk that my ISP would cut my service? Would threat actors attempt to breach my snowflake device? How likely would they be to breach it if it’s kept up-to-date?

Imho, setting up a stand-alone snowflake relay is pretty much safe. I used to run a TOR relay a couple of years back, but some websites that I use and visit started blocking me, so I gave up my relay and focused on my snowflake relay, which is hosted at home. In terms of security I placed a couple of measures to make sure that I’m safe.

Hope this helps :smiley:

Good to know! If you don’t mind sharing, what security measures did you implement or could you recommend? I have an OPNsense firewall available btw.

That’s good opnsense. I used to have pfsense on an old laptop but it already broke.
My security measures are just simple. I don’t have the luxury of securing my raspberry-pi on a wired network… my better half won’t allow dangling cables :laughing:

Local

  • So the raspberry-pi is on Debian and on a wireless network with AP isolation turned on
  • The raspberry-pi has nothing on it; it’s just the snowflake proxy
  • I hardened most cli-commands via chmod (got this tip when I was tinkering with FreeBSD and my TOR relay)
  • I hardened the logs and they cannot be modified or rotated
  • I also do a periodic sha256 checksum scan of important directories; any discrepancy will proceed to immediate shutdown. I also have the option to wipe everything and just restore from backup.

Remote

  • I use Wireguard VPN to get in then do an SSH to access the Raspberry-pi (firewall are set and enabled)
  • Or sometimes I SSH to my raspberry-pi (onion) via TOR and check / monitor
  • Finally, here at home we use Qubes OS; gave up Windows 3 years ago

Hope this helps :smiley:
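
The periodic SHA-256 scan of important directories described in the post above, sketched as an added example (not the poster's script and not part of the original thread): it records a baseline, then reports added, removed and changed files and exits non-zero so a cron job or systemd timer can decide the response. The script name, the JSON baseline format and the directory arguments are assumptions.

```python
import hashlib, json, os, sys

def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # chunked: safe for big files
            h.update(block)
    return h.hexdigest()

def snapshot(roots):
    """Map each path to a digest; symlinks recorded by target, special files skipped."""
    manifest = {}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            for name in dirnames + filenames:
                p = os.path.join(dirpath, name)
                try:
                    if os.path.islink(p):
                        manifest[p] = "symlink:" + os.readlink(p)
                    elif os.path.isfile(p):
                        manifest[p] = hash_file(p)
                except OSError as e:  # a file that became unreadable counts as a change
                    manifest[p] = "error:" + type(e).__name__
    return manifest

def compare(baseline, current):
    """Paths added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }

def main(argv):  # assumed usage: integrity.py init|check BASELINE.json DIR...
    mode, baseline_path, roots = argv[1], argv[2], argv[3:]
    current = snapshot(roots)
    if mode == "init":
        with open(baseline_path, "w") as f:
            json.dump(current, f, indent=1, sort_keys=True)
        return 0
    with open(baseline_path) as f:
        diff = compare(json.load(f), current)
    for kind, paths in diff.items():
        for p in paths:
            print(f"{kind}: {p}")
    return 1 if any(diff.values()) else 0  # non-zero exit lets cron/systemd react

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A baseline kept on the same device can be rewritten by whoever altered the files, so store it on read-only media or another host.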

Standalone Snowflake proxy and the browser extension Snowflake proxy are roughly equivalent in this regard.

Pretty low. Should be a bit lower than running a non-exit Tor relay, as I said in Snowflake abuse - #3 by WofWca. As said on https://snowflake.torproject.org/, your IP is not exposed, i.e. people can’t post naughty content from your machine.
Also see Do Snowflake Proxies Reveal Tor Traffic to ISP? - #3 by ukmr.

In this regard the risk is roughly the same as joining a call in a web app, i.e. pretty low. It all comes down to WebRTC, and WebRTC is made to be secure.
There is also the code that is responsible for connecting to the Tor relays, but the proxy will only connect to destinations that are controlled by the owners of torproject.org.
So, in this regard the risk is also low.

The only issue I had when I set up my Snowflake proxy was about abuse. I trusted the security part.

In the public, Tor is referred to as the “dark web” and thus has an undeserved bad reputation. Like everything else, Tor will be abused by the few. You know the type of abuse I’m talking about. So am I aiding that abuse to occur and get myself into trouble? I have no idea what is going on in my proxy and have no way of knowing. I thus have deniability. Is that enough? I bet in some jurisdictions it is not.

The other “abuse” I try to avoid is people who keep a connection open for too long a period of time. I don’t know how and why they keep a connection open that long and don’t care to know. I’ve seen sessions open for 15hrs to 60hrs when I ran restricted. I use -capacity 9 with my unrestricted version so I developed a method (manual) to kick them out at about 8 hrs. I had a conversation with another user who used 3hrs but did it programmatically.